| Preface | p. xvi |
| Introduction | p. xviii |
| What Is a Virtual Private Network? | p. 1 |
| History of Virtual Private Networks | p. 1 |
| How a Virtual Private Network Works | p. 3 |
| Alternative Services | p. 6 |
| Transparent LAN Services (TLS) | p. 6 |
| Secure Remote Procedure Call (RPC) Authentication (SRA) | p. 7 |
| Secure Sockets Layer (SSL) | p. 7 |
| Common Uses of Virtual Private Networks | p. 8 |
| Remote Dial-In Users | p. 8 |
| Branch Office Network Links | p. 8 |
| Internal Networks | p. 10 |
| Other Benefits of Virtual Private Networks | p. 12 |
| Summary | p. 12 |
| Basic Virtual Private Network Deployment | p. 13 |
| Terminology | p. 13 |
| Design Considerations | p. 15 |
| Network Access Is Too Expensive | p. 15 |
| Data Security Concerns | p. 17 |
| Methods of Attack on Network Traffic | p. 18 |
| Virtual Private Network Deployment | p. 24 |
| Network Design Concepts with Tunneling | p. 27 |
| Network Infrastructure | p. 27 |
| Network Topology | p. 28 |
| Firewalls | p. 29 |
| Summary | p. 29 |
| VPN Features in Windows 2000 | p. 31 |
| Active Directory | p. 32 |
| PPTP | p. 33 |
| L2TP | p. 34 |
| IPSec | p. 35 |
| Internet Key Exchange (IKE) | p. 37 |
| NAT | p. 37 |
| Connection Manager | p. 38 |
| Certificate Server | p. 38 |
| Dynamic DNS | p. 39 |
| Highly Configurable Network Traffic | p. 40 |
| Easier Router Configuration | p. 40 |
| Summary | p. 41 |
| Point-to-Point Tunneling Protocol (PPTP) | p. 43 |
| How PPTP Works | p. 44 |
| PPP Features | p. 44 |
| Putting the PPTP Basics Together | p. 46 |
| PPTP Encryption | p. 46 |
| PPTP Security | p. 47 |
| Performance Gains | p. 51 |
| Summary | p. 65 |
| Certificates | p. 67 |
| What Is a Certificate Server? | p. 67 |
| Digital Signatures | p. 69 |
| X.509 Version 3 Certificates | p. 70 |
| Certificate Authority | p. 70 |
| CA Trust and Hierarchy | p. 71 |
| Rooted Hierarchies | p. 72 |
| Cross Certification Hierarchy | p. 72 |
| Certificate Enrollment | p. 73 |
| Certificate Verification | p. 74 |
| Certificate Revocation | p. 75 |
| Certificate Storage Model | p. 75 |
| Implementing Certificate Server for Virtual Private Networks | p. 77 |
| Windows 2000 Certificate Procedures | p. 79 |
| Summary | p. 99 |
| Internet Protocol Security (IPSec) | p. 101 |
| IPSec Communication | p. 102 |
| Transport Mode | p. 102 |
| Tunnel Mode | p. 103 |
| The IPSec Driver and the TCP/IP Stack | p. 104 |
| Authentication Header | p. 106 |
| Encapsulating Security Payload (ESP) | p. 107 |
| Application Independence | p. 109 |
| IPSec versus SSL | p. 111 |
| Choosing an IPSec Environment | p. 111 |
| Additional Information About IPSec Tunnel Mode | p. 112 |
| Managing IPSec Policies | p. 113 |
| Bringing the Whole IPSec Picture Together | p. 114 |
| End-to-End Security Between Two Systems in a Domain | p. 119 |
| Creating a Custom IPSec Policy | p. 122 |
| Setting Up an IPSec Tunnel Linking Two Sites | p. 126 |
| Configuring the Destination Gateway | p. 135 |
| Testing and Observing Your IPSec Policy | p. 140 |
| Enable IPSec Logging | p. 142 |
| Creating Many IPSec Policies | p. 143 |
| Summary | p. 144 |
| Layer 2 Tunneling Protocol (L2TP) | p. 145 |
| Goals for Windows 2000 L2TP/IPSec | p. 145 |
| L2TP versus PPTP | p. 146 |
| Transport | p. 147 |
| Authentication | p. 147 |
| Delivery | p. 148 |
| Certificates | p. 148 |
| Address Translation | p. 149 |
| L2TP Implementation Details | p. 150 |
| Security | p. 150 |
| L2TP Communications in Detail | p. 151 |
| Authentication | p. 153 |
| L2TP Encryption | p. 153 |
| Internet Key Exchange Settings | p. 154 |
| Altering Encryption Key Behavior | p. 155 |
| Key Lifetimes | p. 156 |
| Session Key Limit | p. 156 |
| Key Exchange Methods (H3) | p. 157 |
| Main Mode Key Exchange | p. 157 |
| Quick Mode Lifetimes | p. 157 |
| Power Management | p. 158 |
| L2TP/IPSec Procedures | p. 158 |
| Summary | p. 166 |
| NAT and Proxy Servers | p. 167 |
| Proxy Server | p. 168 |
| Application Proxy | p. 168 |
| SOCKS Proxy | p. 169 |
| Proxy Server Functions: Speed and Security | p. 169 |
| Speed | p. 169 |
| Security | p. 170 |
| Disadvantages of Proxy Servers | p. 170 |
| Network Address Translation | p. 171 |
| Advantages of NAT | p. 173 |
| Disadvantages of NAT | p. 173 |
| Firewalls | p. 174 |
| Edge Servers | p. 174 |
| Windows 2000 Network Address Translation | p. 175 |
| Windows 2000 Professional: Internet Connection Sharing | p. 175 |
| Windows 2000 Server: Full-Featured NAT | p. 177 |
| Various Server-Side Network Designs | p. 178 |
| Various Client-Side Network Designs | p. 186 |
| Client-Side Firewalls | p. 187 |
| Client-Side NAT Service | p. 188 |
| Using Hybrid Solutions for Client-Side Connections | p. 189 |
| Maintaining Two Connections at the Remote Office Location | p. 190 |
| Using the Proxy Server as the Tunnel Endpoint | p. 192 |
| Using the NAT Server as the Tunnel Endpoint | p. 193 |
| Nesting Tunnels for End-to-End Security from Remote Networks | p. 194 |
| Summary of Distributed Network Designs | p. 195 |
| NAT and Proxy Server Configuration | p. 195 |
| Setting Up Internet Connection Sharing (ICS) | p. 195 |
| Setting Up NAT with RRAS | p. 199 |
| Sharing a VPN Link | p. 207 |
| Summary | p. 208 |
| Connection Manager, Remote Access Policy, and IAS | p. 209 |
| Connection Manager | p. 210 |
| Using the Connection Manager | p. 210 |
| Requirements | p. 212 |
| Implementation | p. 213 |
| Remote Access Policies | p. 213 |
| Dial-In Properties of a User Account | p. 214 |
| Windows 2000 Remote Access Policy | p. 216 |
| Conditions | p. 216 |
| Permission | p. 218 |
| Profile | p. 219 |
| Remote Access Policies and Windows NT 4.0 RRAS Server | p. 225 |
| Internet Authentication Service (IAS) | p. 226 |
| Windows NT Implementation | p. 226 |
| Windows 2000 Implementation | p. 226 |
| IAS Features | p. 227 |
| Integration with RRAS | p. 228 |
| When Should Your Network Use RADIUS? | p. 228 |
| Installing and Configuring IAS | p. 229 |
| Summary | p. 233 |
| Routing and Filtering | p. 235 |
| Windows 2000 Routing | p. 235 |
| Types of Routing in Windows 2000 | p. 236 |
| Secure Routed Connections | p. 239 |
| Client-Side Routing | p. 240 |
| Default Gateway | p. 240 |
| Invalid Persistent Routes | p. 244 |
| Routing Issues | p. 246 |
| Routing Security | p. 247 |
| Pushing the Envelope with Client-Side Routing | p. 247 |
| Automatic Private IP Addressing (APIPA) | p. 249 |
| Tunnels and Routing | p. 251 |
| Packet Filtering | p. 252 |
| Placing the Tunnel Server in Front of the Firewall | p. 253 |
| Protecting Internal Resources | p. 254 |
| Placing the Tunnel Server Behind the Firewall | p. 256 |
| Summary | p. 259 |
| Name Resolution in Windows 2000 | p. 261 |
| Name Resolution for Tunnel Clients | p. 262 |
| Name Resolution for Home LAN/Branch Office | p. 265 |
| Configuring a DNS for a Home LAN/Branch Office Environment | p. 267 |
| Name Resolution for Disjointed Networks | p. 269 |
| Name Resolution for a VPN-Based Active Directory Environment | p. 271 |
| Happy VPN Networks--A case Study | p. 272 |
| Relationship Between the Branch Office Name Servers | p. 276 |
| Summary | p. 277 |
| Active Directory Design in VPNs | p. 279 |
| Replication | p. 281 |
| The Knowledge Consistency Checker | p. 281 |
| Forcing Replication Manually | p. 284 |
| Urgent Active Directory Replication | p. 284 |
| Single Master Replication and VPNs | p. 284 |
| Optimization | p. 285 |
| Site Design | p. 287 |
| Site Design for VPNs | p. 287 |
| Site Topology | p. 288 |
| Site Topology Components | p. 289 |
| Deploying the AD | p. 291 |
| Mapping IP Addresses | p. 291 |
| Mapping Firewall/NAT IP Ports for Active Directory | p. 292 |
| SMTP Replication | p. 294 |
| Linking Sites with a VPN | p. 295 |
| Conclusions | p. 296 |
| The Happy VPN Model | p. 296 |
| Summary | p. 298 |
| History and Context of Virtual Private Networking | p. 301 |
| The Early Years | p. 301 |
| ISPs | p. 302 |
| Private Networks | p. 303 |
| OSI Reference Model | p. 303 |
| The Physical Layer | p. 305 |
| The Data Link Layer | p. 305 |
| The Network Layer | p. 306 |
| The Transport Layer | p. 306 |
| The Session Layer | p. 307 |
| The Presentation Layer | p. 307 |
| The Application Layer | p. 308 |
| VPN-Related RFCs | p. 308 |
| Troubleshooting | p. 313 |
| Troubleshooting Factors | p. 313 |
| PPTPCLNT and PPTPSRV | p. 315 |
| Performance | p. 315 |
| Common Issues and Troubleshooting Tips | p. 316 |
| Enable Logging on the RRAS Server | p. 317 |
| Troubleshooting IPSec | p. 318 |
| Network Monitor | p. 318 |
| Port Scanners | p. 319 |
| Summary | p. 319 |
| Windows 2000 to Cisco IOS IPSec Connectivity | p. 321 |
| Network Setup | p. 322 |
| Windows 2000 Security Policy Configuration | p. 323 |
| Cisco IPSec Configuration | p. 336 |
| Testing | p. 340 |
| Summary | p. 342 |
| VPN and Network Futures | p. 343 |
| Predicting VPN and Windows Trends | p. 343 |
| Index | p. 347 |
| Table of Contents provided by Syndetics. All Rights Reserved. |
